Friday, February 27, 2009

If you ever watched the TV series, Star Trek, The Next Generation, you probably saw the holodeck. The holodeck is this amazing bit of technology where the ship's computer can somehow manipulate molecules into becoming physical manifestations of the computer program it is running.

Based on the program you put into the computer, you can walk into a 1920's speakeasy, take a voyage on a seventeenth century pirate ship or converse with a famous personality, learn new skills or play in a rock band.

Those are the good programs. I have to wonder if anyone monitors the holodeck to see what crew members are really doing in there.

Like anything else that has a positive use, the holodeck could just as easily be used for nefarious activities, including all sorts of simulated depredations. I wonder what child porn laws are like in the 25th century and if these virtual children created by the holodeck program would be a basis for prosecution if abused by a real pedophile using the program.

Not that they would allow pedophiles on-board a 25th century starship, of course.

My point is that the line between the virtual and the real is becoming ever more blurred in today's world.

The thin veil of anonymity is being pierced more and more often by governments, hackers and even regular people.

I don't know if you have seen the commercial that is running these days about the girl who keeps getting recognized by all the strangers, where they ask her things like, "Hi Sara, what color panties today?" or "Hey Sara, when are you going to post something new?".

These guys are obviously not her intended audience. The problem is that when you post something on the internet, the world is your audience. And you can't take it back.

Could that be your child?

People form on-line relationships that end up destroying marriages when they fall in love with an avatar of some person on-line.

People connect to the internet, leaving their virtual doors and windows wide open to passersby. Not all of them benevolent. Consider the MSNBC story in my last post where they show how easy it is to harvest personal information right from people's computers using the same technology that opens the computer up to this invasion.

As hard as it is to believe, people are still regularly being fleeced by scammers who send them emails promising riches in exchange for just placing some money in an account in anticipation of millions of dollars coming from a dethroned prince or ambassador who needs to get money out of the country.

People are still getting duped by ever more sophisticated phishing scams. The phishers have gotten very, very good at duplicating legitimate web sites to fool you into thinking that the email requesting that you update your personal information really came from your bank or PayPal or E-bay.

No company or organization that has your password will ever send you an email asking for it. They just don't need to do that.

All because many of us are trusting people navigating blind in a place full of virtual sharks and barracudas.

The other thing that I noticed in the MSNBC story about the peer to peer file sharing programs allowing access to personal information was the complete unconcern that the teenage girls are using the program to illegally share music.

The parents acted just like this was fine and dandy. And the MSNBC announcer went on about how the girls just love to share music with their friends. Hello, it is still illegal to do that folks.

Little foxes. When we allow our kids to participate in illegal or unethical practices because we are either too lazy to understand what they are doing or don't see any harm in a little pirated music, we are telling them that some laws are okay to break.

I have long opined that when history looks back on this era, the Internet will be considered one of the best and worst things to happen to society.

Where else can you access thousands of books and articles on virtually any subject? You can get an entire education via podcasts from iTunes University, or attend a university completely on-line.

You can strike it rich, sell an idea, make new business connections, communicate with friends and family. All without leaving the comfort of your home.

The flip side of course is that you can lose your life savings, access horrific images, both legal and illegal. Your children can get an entire education on things you would rather not think about.

You can view terrorist groups beheading people, or you can download child porn.

Your kids can freely be approached by child predators and pedophiles.

All without leaving the comfort of your home.

The problem is that so many people, especially people who are currently raising kids, don't seem to know much about computers or the Internet. So they ignore the whole thing, saying stuff like, "My kids are so smart on the computer. I can barely get my email."

Well, wise up and get smart about the computer and the Internet. Do your duty as a responsible adult and monitor your kids.

Just because you don't understand it, does not mean you can abdicate your responsibility to children who depend on you for protection.

The line between the virtual of the Internet and the reality of impact on your life or your children's lives is much thinner than you might imagine.

Thursday, February 26, 2009

I wrote about the dangers of buying used computers and selling your computer or giving it away without properly removing information. Here is an MSNBC story about a dad who bought his daughter a used laptop.

Sunday, February 22, 2009

As you probably know by now from reading my blog, I do a lot of murder cases for the defense.

Some of them are pretty high profile. Especially the capital murder cases. I also work other kinds of cases for the defense: sex crimes, fraud, white collar crimes, etc.

I also do quite a bit of civil work on both sides, for the plaintiff or for the defense, depending on who hires me.

Over the years, I have really appreciated the willingness of the attorneys I have worked for to share information with me. By including me in the team, I have been able to be very successful in helping attorneys get to the facts in cases involving electronic evidence.

However, from time to time, and this happened recently, I get on a case where the attorney is not willing to share all the information.

This puts a strain on my relationship with the attorney and impedes my ability to do a complete and thorough job.

Now, I may be out of line, since I don't work with other experts much. I have no idea how attorneys approach them or work with them or share information with them.

However, computer and other electronic evidence is very broad in scope and can yield information that is unexpected when viewed through the lens of a complete review of the evidence in a case.

In my most successful cases, I have found things that have helped clients avoid the death penalty where in other circumstances they surely would have gone down that path.

I have located information in civil cases that has saved clients a lot of money in potential legal fees and jury awards.

Sometimes, the best thing I do is to get information that allows an attorney to negotiate a good plea agreement or civil settlement for the client where going to trial would be costly and less than optimal.

Getting back to my original point, if the attorney is not willing to give me information, I cannot connect the dots in a case or be innovative in my search of the electronic evidence in ways that might not be immediately apparent until I have studied everything in the case.

I know it is probably unusual for an expert to want to review all the discovery in a case, or at least to get whatever information the attorney might be thinking along the lines of their "theory." However, I do not know of any other expert specialty that touches so many aspects of a case.

The bottom line is, if the attorney that hires me does not trust me enough to give me information, I will do the best job I can with the information I get. However, this is a little like cutting off your nose to spite your face as they say down here in the South.

I realize that many attorneys have not dealt with computer forensics experts very much, and in many cases that I get, they have never dealt with a computer forensics expert.

I am not the guy you want to keep information from when that information may very well lead me to find just the thing you most need to know in a case.

If you as an attorney are worried about confidentiality, I can understand that. On my side, maintaining confidentiality is part and parcel of what I do.

If you hire me, you can expect complete confidentiality on my part. If you hire me, I expect full disclosure on your part.

Friday, February 20, 2009

Those are probably two of the most important questions on anyone's mind when considering their first career or a career change.

While the general consensus seems to be that the field of computer forensics is exploding, I am not sure I agree with that conclusion.

The other thing to consider is that right now, the IT market is collapsing, with the number of job openings shrinking as people are getting laid off, setting up a situation where there are more applicants seeking fewer job opportunities.

If anything, the largest growth in the employment market for computer forensics people is going to continue to be in the law enforcement sector. The government continues to put money into new forensics labs and they need staffing.

The quandary is that many law enforcement agencies will not use civilian employees for computer forensics work, but insist on using sworn employees.

The typical path in law enforcement is to become a police officer or special agent, and then spend a number of years doing general police work. After that, you might have an opportunity to move into computer forensics.

In the private sector, I have not seen much of any indication of new job openings in this field, especially not for people just entering the field. Most of the job openings I have seen have been for experienced examiners.

With an influx of highly trained and experienced IT people entering the job market via layoffs, the competition for IT security jobs and entry level forensics jobs is going to get tougher.

Also, it appears that the US is lagging behind in computer forensics growth compared to the UK and other European countries. For instance, on Forensic Focus, I see many more job vacancies for UK posts than US posts.

A search for the term Computer Forensics on Dice returned 52 openings and the same search on Monster returned 85 openings.

SimplyHired returned 1282 openings against a database of 2.7 million job postings. This was higher than I expected, to be honest. However, not all of these are pure computer forensics jobs. Some are sales, engineering and such. Also, when I clicked on several of the hits to review the jobs, some were no longer valid links.

The problem for people new to the field is that there are very few entry level jobs available.

That doesn't mean you can't get a job, it just means that it may take longer to land a position than you might like.

What about certifications?

Honestly, the truth about certifications is that they really only serve two purposes: getting you an interview or impressing people to get accepted as an expert in court.

Experience outweighs certifications every time. So if you lack experience, then getting a certification is probably worth it. Bear in mind that getting certified does not make you a better examiner. As with most licensing or certification tests, the goal is to answer the questions to satisfy the testers, not to demonstrate real skill or knowledge. Even the "practical" portions of some of these certifications are more about guessing what they are looking for than performing real world analysis work.

The trick about certifications is that they are an industry unto themselves. For instance, to get to sit for some certifications, you must demonstrate a certain level of training that is, of course, provided at a hefty price by the certification company.

Getting the training is a good idea if you can afford it so you can properly use a particular product or technique. I am all for training and would rather see that on a resume than a certification any day.

While I believe that this field will grow at a healthy rate, and I do think jobs will be available, it is important to understand that the narrower your field of specialty, the fewer jobs there are, period.

Patience and preparation are a must. As well as deciding if you are willing to work as a sworn officer for a number of years to get into some law enforcement positions.

Also, be willing to enter a company in a related position to get in the door, with the idea and hopefully a conversation at the outset, that your goal is to practice in your specialty when the opportunity arises.

Wednesday, February 18, 2009

As much as some people who enter this field would prefer to stay in the lab, there are times where you will have to get out in front of the public. Some of these are deal breakers for people thinking about entering the field. Probably the most common one is the possibility of having to testify in court. If you are not someone who can at least tolerate speaking in public, then this can be especially unnerving. Not only will you be required at some point to perform this particularly difficult form of public speaking, you will have to do it with your professional reputation on the line.

However, from some of the testimony I have seen in court transcripts, whether or not your reputation can truly be damaged by poor testimony is questionable.

As an expert, your testimony can have a profound impact on a case, whether it is a civil matter, a child custody case or a capital murder case where someone’s life is at stake.

The reason your testimony can have a profound impact on a case is because the attorney has decided that your testimony is important enough to risk putting you on the stand. Putting any expert on the stand is a risk. Why is that? Experts can be brilliant in the lab and stupid on the stand. Experts can be charming and personable in normal situations and turn stiff and distant on the stand. Experts can be eloquent in the conference room and totally fail to communicate in the courtroom.

Having an expert testify who manages to alienate the jury or who makes mistakes on the stand can hurt a case very badly.

When you think about what a computer forensics examiner really does, he or she bears the same burden of responsibility that any investigator in a case bears. It is up to the examiner to properly locate and expose information that relates to a case. Whether that information helps or hurts the client, as an expert, your responsibility is to present that information to the client and/or counsel. It is not up to you to make value judgments. Nor are you an advocate.

One thing that all examiners share is the likelihood of having to read or view things that will have a lasting effect on them. This is more likely for the law enforcement examiner who has to cover child pornography cases.

As an examiner, you will end up viewing a great deal of pornography. That is the nature of the job. You will be exposed to images on computers that will shock and disgust you. I have seen everything from dismembered bodies, medical deformities, sexual torture and sexual mutilation to horrific disfigurements while scanning through pictures on computers that I have examined. And these are the legal images.

When people choose to enter law enforcement or other fields that deal with crimes against persons and accidents and other medical emergencies, they have an expectation that they will be confronted by these situations. Although some of the situations I have heard about from police I have worked with seem almost unbearable to have witnessed.

Some of the most horrific things you can witness are crimes against children. When you view a picture of a child being molested or a movie of a child being molested or exploited, you are viewing a crime in progress. In the case of a picture, it is one moment of that child’s misery frozen in time. In the case of a movie, you are seeing a record of the crime that is preserved so it can be viewed time and again by persons who enjoy watching a child being molested to the point of imagining themselves in the role of the adult in the movie.

Viewing crime scene photos of murders has an effect that lasts a long while. Child pornography images may not remain crystal clear in your mind forever, but the emotional impact of seeing them probably will.

Why would I or anyone else work to defend people who have these images on their computer? Believe it or not, not everyone is guilty. It is for those few that I work cases, to ensure that an innocent person does not get punished for a crime simply because the state had the leverage of an expert on their side. I am not saying that law enforcement does anything wrong in these cases. But I will say that simply showing that something is present has long been enough to get a conviction without the evidence being properly challenged. Because there are now, and have been, almost no computer forensic experts who will work sex crime cases for the defense.

Thursday, February 12, 2009

There are a lot of people who post about wanting to get into the field of computer forensics. People who are just interested in the field, soon to be graduates of the many new computer forensic degree programs, or IT folks thinking about a career change.

And there are many people who post about whether or not computer forensics is the right career choice for them.

The typical response on the forums is, "If you have a passion for technology and love to learn new things, then this might be the right field for you."

While having a passion for technology and getting down in the details of computer data and file systems is definitely a pre-requisite for this type of field, there are some things that anyone who is considering this as a vocation should contemplate before deciding if this is the right career path.

While computer forensics is a technology centric field, it is also a people centric field.

There is an old axiom: "If you really want to know someone, live with them for a while."

Here is a new axiom for today's electronic age: "If you really want to know someone, do the forensics analysis on their computer."

Before I continue, I need to emphasize that I love this field of work. I choose to do this not for the technology part, but because I think I can make a difference for people by doing forensics work.

Don't get me wrong, I am a geek that loves technology and the challenge of continuously learning just to stay abreast of the current advances in storage and operating systems, etc. But the technology is really a small part of the job, once you begin to see what an examiner sees.

And this is especially true when you think about the impact your work has on the people involved in cases. And the impact it can have on you.

When you examine someone's computer, you are looking into their lives in a very intimate way. Nothing is really hidden from you.

Depending on the type of cases you take on, you will see and read things that can have a real emotional impact on you.

When you start looking through someone's email or their internet history or their chat logs, their personal notes and documents, even their choices of music and entertainment, you will begin to get to know that person in ways many others will not.

You will become a party to their secrets. Secrets that you cannot talk about, since that will violate confidentiality. So you will get to carry those secrets, whether you want to or not.

And then you may have to interact with that person with a demeanor that reveals nothing about what you have learned about that person. Because that person might be your client.

Defeating computer forensics is an attempt to prevent data from being recovered and used in a criminal or civil case. The idea is to make it impossible for a computer forensics examiner to find evidence by doing something to a computer or hard drive to make it unrecoverable.

Challenging computer forensics can occur when an examiner does recover evidence and it is used as part of a civil or criminal case.

There are two significant reasons to understand the process of challenging digital evidence:

1. As the primary expert examiner, you must understand how an opposing expert goes about challenging your findings.
2. As the opposing expert, you must understand how to go about challenging the findings of the primary expert.

Many people might think that evidence equals facts and therefore, how can you challenge facts? It is or it isn't there.

While that is true in a sense, the question that must be raised is whether or not those facts really apply to the issue at hand.

Probably the number one mistake I see people make is assuming that if the other side does not find incriminating evidence, that there is no need to use an expert examiner in a case.

However, that completely overlooks the possibility of that same set of evidence providing exculpatory facts that can be used to challenge the other side's case, independent of whether or not they plan to introduce digital evidence.

As one of the very few defense experts out there, I spend the majority of my time challenging the findings of law enforcement examiners.

Every case has something I call challenge points: the steps in the overall processing of evidence have specific points where mistakes are commonly made by the person executing that particular phase of an investigation.

However, beyond that, in many cases I work, law enforcement may not have found anything on the computers to support their case. Defense attorneys I work with will still get the computers for me to examine to make sure that there isn't something there that will support the innocence of their client.

On the other side of the fence, where I am the primary examiner in a civil case or in a domestic case, being aware of those challenge points makes me focus on being a better examiner.

In civil cases, rules are not as stringent as they are in criminal cases. However, properly doing an examination to the same standards as a criminal case makes it much harder for my findings to be challenged if the other side has an expert of their own.

And since you never know when a civil or domestic case will turn into a criminal case, your standards must be at a level that they are defensible by you in a court of law.

My point is that you should never make assumptions about a case where computer or cell phone forensic evidence is part of the case.

Just because the other side didn't find something to use, you may find something that can be used to provide a challenge to the overall case.

Saturday, February 7, 2009

You would think that with all the legislation being created these days to toughen laws regarding child porn that someone would decide that file sharing programs should be outlawed.

Here are the primary four reasons to have file sharing software on a computer:

1. To download copyrighted music for free.
2. To download copyrighted movies for free.
3. To download copyrighted software for free.
4. To download porn, including child porn.

I do realize that quite a bit of open source software is distributed using bittorrent and other P2P networks. And this is a legitimate use for this kind of software.

From the Bittorrent Web Site

What Is BitTorrent?

BitTorrent is the global standard for delivering high-quality files over the Internet. With an installed base of over 160 million clients worldwide, BitTorrent technology has turned conventional distribution economics on its head. The more popular a large video, audio or software file, the faster and cheaper it can be transferred with BitTorrent. The result is a better digital entertainment experience for everyone.

BitTorrent is a protocol (a set of rules and description of how to do things) allowing you to download files quickly by allowing people downloading the file to upload (distribute) parts of it at the same time. BitTorrent is often used for distribution of very large files, very popular files and files available for free, as it is a lot cheaper, faster and more efficient to distribute files using BitTorrent than a regular download. (Emphasis is mine.)

Talk about marketing spin.

What surprises me is that parents, when told about the issues with this software, don't consider it to be a problem if their child is only downloading illegal music. Seems like a moral dilemma to me.

If you stop to consider that having this software running on a computer is going to be primarily used for illegal activities, why wouldn't it fall into the same category as drug paraphernalia or burglary tools?

The issue of course is that a crowbar is a crowbar until it becomes a burglary tool.

It is pretty obvious that this software is used to swap a tremendous amount of child pornography, based on the number of people getting caught using the software for that purpose via Operation Fairplay or whatever that particular activity is called in a local jurisdiction.

("Operation Fairplay" is the backbone for monitoring the P2P file sharing networks.)

Based on published reports, as many as six hundred thousand computers in the US have child porn files on them or transmitted to them via these networks.

While I work these types of cases on the defense side, that does not mean that I think that child porn is acceptable in any way. In fact, if I never heard of another child porn arrest, that would be a good day. Because, hopefully, that would mean that children were no longer being victimized to support this nefarious industry.

Of course, that will never happen.

Obviously, you cannot control the Internet, but you can legislate what is legal to have on a computer.

Sadly, this would present an even larger problem for law enforcement simply because these programs are installed on, I am guessing here, millions of computers in the US.

Now I am not saying that everyone who has this type of software on their computer is going to use it to do something illegal.

File sharing software is file sharing software until it becomes a piracy tool.

I know that most people believe that once they purchase a CD or a DVD, they should have the right to share it. However, becoming a distributor via file sharing networks is the same as burning and giving away thousands of copies of that same music or movie.

Most reasonable people would consider that to be piracy, but since file sharing programs handle it all transparently, people don't think about it the same way.

Kind of like using a credit card is not the same as spending real money.

Now I know that many people will disagree with me on the music thing. And I really don't care about that so much.

About EX FORENSIS

This is where I share my thoughts on the digital forensics field, talk about recent court rulings that impact digital forensics and anything else that comes to mind; mostly serious, sometimes not so much.

All writings on this blog are the original works of the author, Larry E. Daniel, unless otherwise stated, and are subject to the copyright laws of the United States.

Disclaimer

I am not an attorney. Nothing I post in this blog is intended to be, nor should be considered as legal advice. If you have a legal question you should seek the services of a licensed attorney in your area. Guest authors or others who are invited to post here are covered by the same disclaimer. Nothing on this blog is legal advice.